From 43ee227b7c5a5c186b07927f89d2f89fd9f55c52 Mon Sep 17 00:00:00 2001
From: Alban Crequy
Date: Tue, 19 Aug 2014 15:31:10 +0100
Subject: [PATCH] config: set DEFAULT_MESSAGE_UNIX_FDS to 16

Before this patch, the system bus had the following default configuration:
- max_connections_per_user: 256
- DBUS_DEFAULT_MESSAGE_UNIX_FDS: usually 1024 (or 256 on QNX, see fd.o#61176)
  as defined by configure.ac
- max_incoming_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS*4 = usually 4096
- max_outgoing_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS*4 = usually 4096
- max_message_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS = usually 1024

This means that a single user could create 256 connections and transmit
256*4096 = 1048576 file descriptors.

The file descriptors stay attached to the dbus-daemon process while they are
in the message loader, in the outgoing queue or waiting to be dispatched before
D-Bus activation.

dbus-daemon is usually limited to 65536 file descriptors (ulimit -n). If the
limit is reached and dbus-daemon needs to receive a message with a file
descriptor attached, this is signalled by recvfrom with the flag MSG_CTRUNC.
Dbus-daemon cannot recover from that error because the kernel does not have any
API to retrieve a file descriptor which has been discarded with MSG_CTRUNC.
Therefore, it closes the connection of the sender. This is not necessarily the
connection which generated the most file descriptors so it can lead to
denial-of-service attacks.

In order to prevent DoS issues, this patch reduces DEFAULT_MESSAGE_UNIX_FDS to
16:

max_connections_per_user * max_incoming_unix_fds = 256 * 64 = 16384

This is less than the usual "ulimit -n" (65536) with a good margin to
accommodate the other sources of file descriptors (stdin/stdout/stderr,
listening sockets, message loader, etc.)

https://bugs.freedesktop.org/show_bug.cgi?id=82820
---
configure.ac | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/configure.ac b/configure.ac
index cbaf874..1aaa1cb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1238,12 +1238,8 @@ if test x$with_valgrind != xno; then
AC_DEFINE([WITH_VALGRIND], [1], [Define to add Valgrind instrumentation])
fi
-# Determine maximum number of Unix fds which may be passed
-AS_CASE([$host_os],
- [*qnx*],
- [DEFAULT_MESSAGE_UNIX_FDS=256],
- [*],
- [DEFAULT_MESSAGE_UNIX_FDS=1024])
+# Keep the default low to avoid DoS issues, see fd.o #82820
+DEFAULT_MESSAGE_UNIX_FDS=16
AC_DEFINE_UNQUOTED([DBUS_DEFAULT_MESSAGE_UNIX_FDS],
[$DEFAULT_MESSAGE_UNIX_FDS],
[Default for dbus_connection_get_max_message_unix_fds()])
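Review bot: The new comment above `DEFAULT_MESSAGE_UNIX_FDS=16` points at fd.o #82820 but does not record why 16 is the safe value, and that reasoning is the part a future editor needs. Per the commit message, the bound is max_connections_per_user (256) times max_incoming_unix_fds (4 times this default, so 64), giving 16384 against a usual "ulimit -n" of 65536. None of those three other numbers appears in this hunk, so someone raising this default, or an administrator raising max_connections_per_user or running with a lower fd limit, gets no hint that the margin depends on them. Consider spelling out the product in the comment. The description string `[Default for dbus_connection_get_max_message_unix_fds()]` also mentions only the per-message limit, while the commit message says the bus's incoming and outgoing limits are derived from the same define; noting that there would make the wider effect of this value visible. The hunk drops the `*qnx*` branch as well, which is consistent since 16 is below the old QNX value of 256, but a word in the commit message that the fd.o#61176 special case is now subsumed would save a reader from checking.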
--
1.8.5.3